Commit e337b853 authored by Thomas Gambier's avatar Thomas Gambier

Update Release Candidate

parents 45b42e27 87b81684
...@@ -57,3 +57,4 @@ configure-options = ...@@ -57,3 +57,4 @@ configure-options =
environment = environment =
LDFLAGS=-L${gettext:location}/lib -lintl -Wl,-rpath=${gettext:location}/lib -Wl,-rpath=${zlib:location}/lib LDFLAGS=-L${gettext:location}/lib -lintl -Wl,-rpath=${gettext:location}/lib -Wl,-rpath=${zlib:location}/lib
PATH=${texinfo7:location}/bin:${bison:location}/bin:${m4:location}/bin:%(PATH)s PATH=${texinfo7:location}/bin:${bison:location}/bin:${m4:location}/bin:%(PATH)s
BISON_PKGDATADIR=${bison:location}/share/bison
...@@ -76,7 +76,7 @@ environment = ...@@ -76,7 +76,7 @@ environment =
CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${zlib:location}/lib/ -Wl,-rpath=${zlib:location}/lib/ LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${zlib:location}/lib/ -Wl,-rpath=${zlib:location}/lib/
GLIB_CFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include GLIB_CFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -lintl -lgobject-2.0 GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -lgobject-2.0
FFI_CFLAGS=-I${libffi:location}/include FFI_CFLAGS=-I${libffi:location}/include
FFI_LIBS=-L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi FFI_LIBS=-L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi
GIR_DIR=${buildout:parts-directory}/${:_buildout_section_name_}/share/gir-1.0 GIR_DIR=${buildout:parts-directory}/${:_buildout_section_name_}/share/gir-1.0
......
...@@ -14,6 +14,9 @@ extends = ...@@ -14,6 +14,9 @@ extends =
parts = parts =
glib glib
[gcc]
min_version = 8
[glib] [glib]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
shared = true shared = true
......
...@@ -805,7 +805,7 @@ class TestFrontendXForwardedFor(BalancerTestCase): ...@@ -805,7 +805,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
).json() ).json()
self.assertEqual(result['Incoming Headers'].get('x-forwarded-for', '').split(', ')[0], '1.2.3.4') self.assertEqual(result['Incoming Headers'].get('x-forwarded-for', '').split(', ')[0], '1.2.3.4')
def test_x_forwarded_for_stripped_when_not_verified_connection(self): def test_x_forwarded_for_stripped_when_no_certificate(self):
# type: () -> None # type: () -> None
balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default'] balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
result = requests.get( result = requests.get(
...@@ -813,7 +813,7 @@ class TestFrontendXForwardedFor(BalancerTestCase): ...@@ -813,7 +813,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
headers={'X-Forwarded-For': '1.2.3.4'}, headers={'X-Forwarded-For': '1.2.3.4'},
verify=False, verify=False,
).json() ).json()
self.assertNotEqual(result['Incoming Headers'].get('x-forwarded-for', '').split(', ')[0], '1.2.3.4') self.assertNotIn('x-fowarded-for', [k.lower() for k in result['Incoming Headers'].keys()])
balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth'] balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
with self.assertRaisesRegex(Exception, "certificate required"): with self.assertRaisesRegex(Exception, "certificate required"):
requests.get( requests.get(
...@@ -822,6 +822,32 @@ class TestFrontendXForwardedFor(BalancerTestCase): ...@@ -822,6 +822,32 @@ class TestFrontendXForwardedFor(BalancerTestCase):
verify=False, verify=False,
) )
def test_x_forwarded_for_stripped_when_not_verified_certificate(self):
# type: () -> None
balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
# certificate from an unknown CA
another_unrelated_caucase = self.getManagedResource('another_unrelated_caucase', CaucaseService)
unknown_client_certificate = self.getManagedResource('unknown_client_certificate', CaucaseCertificate)
unknown_client_certificate.request('unknown client certificate', another_unrelated_caucase)
result = requests.get(
balancer_url,
headers={'X-Forwarded-For': '1.2.3.4'},
cert=(unknown_client_certificate.cert_file, unknown_client_certificate.key_file),
verify=False,
).json()
self.assertNotIn('x-fowarded-for', [k.lower() for k in result['Incoming Headers'].keys()])
balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
with self.assertRaisesRegex(Exception, "unknown ca"):
requests.get(
balancer_url,
headers={'X-Forwarded-For': '1.2.3.4'},
cert=(unknown_client_certificate.cert_file, unknown_client_certificate.key_file),
verify=False,
)
class TestServerTLSProvidedCertificate(BalancerTestCase): class TestServerTLSProvidedCertificate(BalancerTestCase):
"""Check that certificate and key can be provided as instance parameters. """Check that certificate and key can be provided as instance parameters.
......
...@@ -18,7 +18,7 @@ md5sum = 7be0c21751f8385ef876c3d7192d4057 ...@@ -18,7 +18,7 @@ md5sum = 7be0c21751f8385ef876c3d7192d4057
[template-re6stnet] [template-re6stnet]
filename = instance-re6stnet.cfg.in filename = instance-re6stnet.cfg.in
md5sum = 01a24f1983a1d40f31c4b36b7a2448fe md5sum = 01da4462b5e20cab73b87e7415f7483d
[template-apache-conf] [template-apache-conf]
filename = apache.conf.in filename = apache.conf.in
......
...@@ -107,7 +107,7 @@ recipe = slapos.cookbook:wrapper ...@@ -107,7 +107,7 @@ recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:services}/re6st-registry wrapper-path = ${directory:services}/re6st-registry
pidfile = ${directory:run}/registry.pid pidfile = ${directory:run}/registry.pid
command-line = {{ bin_directory }}/re6st-registry @${re6st-registry-conf:output} command-line = {{ bin_directory }}/re6st-registry @${re6st-registry-conf:output}
hash-existing-files = ${re6st-registry-conf:output} hash-files = ${re6st-registry-conf:output}
[cron-entry-re6st-backup] [cron-entry-re6st-backup]
recipe = slapos.cookbook:cron.d recipe = slapos.cookbook:cron.d
......
...@@ -94,7 +94,7 @@ md5sum = b0751d3d12cfcc8934cb1027190f5e5e ...@@ -94,7 +94,7 @@ md5sum = b0751d3d12cfcc8934cb1027190f5e5e
[template-haproxy-cfg] [template-haproxy-cfg]
filename = haproxy.cfg.in filename = haproxy.cfg.in
md5sum = 1645ef8990ab2b50f91a4c02f0cf8882 md5sum = 85a8c0dadf7b648ef9748b6199dcfeb6
[template-rsyslogd-cfg] [template-rsyslogd-cfg]
filename = rsyslogd.cfg.in filename = rsyslogd.cfg.in
......
...@@ -154,7 +154,7 @@ defaults ...@@ -154,7 +154,7 @@ defaults
{% for name, (port, _, certificate_authentication, timeout, backend_list) in sorted(six.iteritems(parameter_dict['backend-dict'])) -%} {% for name, (port, _, certificate_authentication, timeout, backend_list) in sorted(six.iteritems(parameter_dict['backend-dict'])) -%}
listen family_{{ name }} listen family_{{ name }}
{%- if parameter_dict.get('ca-cert') -%} {%- if parameter_dict.get('ca-cert') -%}
{%- set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional' ) ~ ' crl-file ' ~ parameter_dict['crl'] %} {%- set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional crt-ignore-err all' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
{%- else %} {%- else %}
{%- set ssl_auth = '' %} {%- set ssl_auth = '' %}
{%- endif %} {%- endif %}
...@@ -173,11 +173,10 @@ listen family_{{ name }} ...@@ -173,11 +173,10 @@ listen family_{{ name }}
{%- endif %} {%- endif %}
# remove X-Forwarded-For unless client presented a verified certificate # remove X-Forwarded-For unless client presented a verified certificate
acl client_cert_verified ssl_c_used ssl_c_verify 0 http-request del-header X-Forwarded-For unless { ssl_c_verify 0 } { ssl_c_used 1 }
http-request del-header X-Forwarded-For unless client_cert_verified
# set Remote-User if client presented a verified certificate # set Remote-User if client presented a verified certificate
http-request del-header Remote-User http-request del-header Remote-User
http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if client_cert_verified http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_verify 0 } { ssl_c_used 1 }
# logs # logs
capture request header Referer len 512 capture request header Referer len 512
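Review bot: `crt-ignore-err all` on the `verify optional` branch is a security-relevant choice the template does not explain: it makes HAProxy complete the handshake for client certificates that fail verification (e.g. unknown CA, expired), so the only thing separating a trusted client from an anonymous one is the `{ ssl_c_verify 0 } { ssl_c_used 1 }` condition now repeated on the del-header and set-header lines of the second hunk. A comment next to the `set ssl_auth` line would make that dependency explicit, e.g. `{# 'optional': unverified client certs are accepted at TLS level (crt-ignore-err all) and treated as anonymous; X-Forwarded-For stripping and Remote-User below must keep gating on ssl_c_verify 0 #}`. Because the two inline conditions have to stay identical for header stripping and Remote-User to agree, the "remove X-Forwarded-For" comment should also state that both lines are intentionally the same check. The `listen family_{{ name }}` block continues outside both hunks.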
......